Oracle Issues Critical Java Update, Plugging 42 Vulnerabilities

Oracle issued a massive update to its highly targeted Java software, fixing 42 Java vulnerabilities, including 39 serious flaws that can be remotely exploited by attackers.

The Java fixes were part of more than 100 security updates issued by Oracle across its product line. The vulnerabilities fixed in Java 7 Update 21 can be used by cybercriminals in a variety of attack scenarios, including drive-by attacks in which a victim merely visits a compromised or malicious website.

Oracle said 19 of the flaws are extremely critical, carrying the maximum score of 10.0 in the Common Vulnerability Scoring System (CVSS), the standard scoring system used by many software vendors to assign a severity level to vulnerabilities. Security experts say it won't take long for malware writers to develop an exploit targeting some of the flaws.

The security updates also affect Mac users: Apple issued the Java patches for Safari users in Safari 6.0.4 for OS X Mountain Lion and Lion and Safari 5.1.9 for OS X Snow Leopard, and also released updated versions of Java 6.

The Java SE update includes fixes for two bugs that can affect server deployments of Java, warned Eric Maurice, Oracle's director of software assurance, in a blog post announcing the patch release. Maurice said Oracle recommends that the updates be applied immediately.

"Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a Web service), and one of these bugs actually requires local access to be exploited," Maurice wrote.

Oracle said administrators who are still testing the fixes can restrict Java until the patches are applied. The Redwood Shores, Calif., company also warned that the update may break application functionality and urged administrators to test the changes thoroughly on nonproduction systems before deploying them.

Oracle has been heavily scrutinized over its handling of Java following increased interest by attackers targeting bugs in the widely deployed software. Many of the attacks are delivered by automated exploit toolkits. A study by security firm Websense found that only 5.5 percent of Java-enabled browsers were running the latest Java plug-in; many of the Java components in the browser deployments it analyzed were more than six months old.
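Checking whether a host is still below the patched level is the practical counterpart to the Websense figure above and to Oracle's advice to restrict Java until the fix is in. The following Python script is an added example, not code from the article, Oracle or Websense: it parses the first line of `java -version` output, compares it with the 1.7.0_21 level the article names, and classifies each host. The inventory it runs over is constructed sample output, not captured data, and the host names are invented. The page states no fixed level for Java families other than Java 7, so those hosts are flagged for review rather than guessed at.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Patched level named in the article: Java 7 Update 21, i.e. version string 1.7.0_21.
PATCHED_JAVA7 = (1, 7, 0, 21)

# Matches the first line printed by `java -version`, e.g.
#   java version "1.7.0_17"
#   java version "1.7.0"          (base release, no update number)
# Version strings of the form major.minor.micro[_update] are what Java 7-era
# builds print; later "9" or "11.0.2" styles are not this page's concern.
_VERSION_LINE = re.compile(
    r'java version "(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)(?:_(?P<update>\d+))?'
)


def parse_java_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, update) from `java -version` output.

    Returns None when no version line is present. A missing update number
    (e.g. "1.7.0") is treated as update 0, the base release.
    """
    m = _VERSION_LINE.search(text)
    if not m:
        return None
    update = m.group("update")
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("micro")),
        int(update) if update is not None else 0,
    )


def assess(text: str) -> str:
    """Classify one host's Java as 'patched', 'vulnerable', 'review' or 'unknown'.

    patched     Java 7 at or above 7u21.
    vulnerable  Java 7 below 7u21, i.e. missing the fixes the article covers.
    review      Another Java family; the article gives no fix level for it.
    unknown     No version string found (Java absent or output unreadable).
    """
    v = parse_java_version(text)
    if v is None:
        return "unknown"
    if v[:2] != PATCHED_JAVA7[:2]:
        return "review"
    return "patched" if v >= PATCHED_JAVA7 else "vulnerable"


def local_java_status() -> str:
    """Run `java -version` on this host and classify the result."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    # `java -version` prints to stderr, so look at both streams.
    return assess(out.stderr + out.stdout)


# Constructed sample output for four hypothetical hosts (not real captures).
SAMPLE_INVENTORY: Dict[str, str] = {
    "host-a": 'java version "1.7.0_17"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    "host-b": 'java version "1.7.0_21"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "host-c": 'java version "1.6.0_43"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_43-b01)\n',
    "host-d": "bash: java: command not found\n",
}


def report(inventory: Dict[str, str] = SAMPLE_INVENTORY) -> Dict[str, str]:
    """Map each host name to its assessment."""
    return {host: assess(output) for host, output in inventory.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
    print(f"this host: {local_java_status()}")
```

Feed `report()` the collected `java -version` output from a fleet, or call `local_java_status()` on a single machine. Several JREs can coexist on one machine, so check every installation rather than only the `java` found on the PATH; a current command-line runtime does not prove that the browser is loading a current plug-in.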

Targeted attacks were up 42 percent in 2012, according to an analysis conducted by Symantec. Some of the attacks use known vulnerabilities, including flaws in Java, Kevin Haley, director of Symantec Security Response, told CRN. Manufacturing is one of the top verticals being targeted, Haley said.

"The bad guys are working their way down the supply chain," Haley said. "The quest for intellectual property has moved from the large company down to the small companies because there are fewer defenses and much easier targets."

Interest in Java is also having an impact on Web-based attacks, according to Cupertino, Calif.-based Symantec, which said Web-based attacks are up 30 percent, with 61 percent of drive-by attacks detected on legitimate websites that attackers had compromised.

"The bad guys are taking advantage of the vulnerabilities in these websites and then in browser plug-ins, driving up Web-based attacks," Haley said. "It's a very popular method for distributing malware."

Oracle has been releasing updates more frequently to address known issues. It issued an emergency Java update in March, fixing critical holes in the software that were being targeted by attackers in the wild.